Use the Administrative Group Roles page to give groups specific authority to administer application servers through tools such as the administrative console or wsadmin scripting. The authority requirements are only effective when administrative security is enabled.
Use the Common Object Request Broker Architecture (CORBA) naming service groups page to manage CORBA Naming Service groups settings.
To view the Console Groups administrative console page, complete either of the following steps:
- Click Security > Global security > Administrative Group Roles.
- Click Users and Groups > Administrative Group Roles.
To view the CORBA naming service groups administrative console page, click Environment > Naming > CORBA Naming Service Groups.
Click Refresh All to automatically update the node agent and all of the nodes when a new user is created with the Administrator or Admin Security Manager role. When you click Refresh All, you do not need to manually restart the node agent under an existing Administrator before the new user is recognized with one of these roles. This button automatically invokes the AuthorizationManager refreshAll MBean method. To invoke this method manually, read about Fine-grained administrative security in heterogeneous and single-server environments.
Identifies CORBA naming service groups.
In previous releases of WebSphere® Application Server, there were two default groups: ALL AUTHENTICATED and EVERYONE. However, EVERYONE is now the only default group, and it provides CosNamingRead privileges only.
| Data type: | String |
| Range: | EVERYONE |
Identifies naming service group roles.
A number of naming roles are defined to provide the degrees of authority that are needed to perform certain application server naming service functions. The authorization policy is only enforced when global security is enabled.
Four name space security roles are available: CosNamingRead, CosNamingWrite, CosNamingCreate, and CosNamingDelete. The roles have authority levels from low to high:
- Cos Naming Read: You can query the application server name space using, for example, the Java Naming and Directory Interface (JNDI) lookup method. The EVERYONE special-subject is the default policy for this role.
- Cos Naming Write: You can perform write operations such as JNDI bind, rebind, or unbind, and CosNamingRead operations. The ALL_AUTHENTICATED special-subject is the default policy for this role.
- Cos Naming Create: You can create new objects in the name space through operations such as JNDI createSubcontext and CosNamingWrite operations. The ALL_AUTHENTICATED special-subject is the default policy for this role.
- Cos Naming Delete: You can destroy objects in the name space, for example using the JNDI destroySubcontext method and CosNamingCreate operations. The ALL_AUTHENTICATED special-subject is the default policy for this role.
| Data type: | String |
| Range: | CosNamingRead, CosNamingWrite, CosNamingCreate, and CosNamingDelete |
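
The cumulative role order described above can be used to review an exported group-to-role mapping. The following is an added example, not IBM code and not part of the original page; the mapping format, the group name jndi-ops, and the role name CosNamingAdmin are constructed for illustration.

```python
# Added example: audit a naming-role mapping using the role order on this page.
# The mapping format, group "jndi-ops" and role "CosNamingAdmin" are constructed.
NAMING_ROLES = ["CosNamingRead", "CosNamingWrite", "CosNamingCreate", "CosNamingDelete"]

# JNDI operations each role adds on top of the role below it (from the page).
ADDED_OPERATIONS = {
    "CosNamingRead": ["lookup"],
    "CosNamingWrite": ["bind", "rebind", "unbind"],
    "CosNamingCreate": ["createSubcontext"],
    "CosNamingDelete": ["destroySubcontext"],
}


def effective_operations(role):
    """Return every operation a role allows, including those of lower roles."""
    level = NAMING_ROLES.index(role)
    ops = []
    for lower in NAMING_ROLES[: level + 1]:
        ops.extend(ADDED_OPERATIONS[lower])
    return ops


def audit(mapping):
    """Map each group to its highest role, effective operations and findings."""
    report = {}
    for group, roles in mapping.items():
        known = [r for r in roles if r in NAMING_ROLES]
        findings = ["unknown role: " + r for r in roles if r not in NAMING_ROLES]
        highest = max(known, key=NAMING_ROLES.index) if known else None
        # The page states that EVERYONE provides CosNamingRead privileges only.
        if group == "EVERYONE" and highest not in (None, "CosNamingRead"):
            findings.append("EVERYONE exceeds CosNamingRead: " + highest)
        report[group] = {
            "highest": highest,
            "operations": effective_operations(highest) if highest else [],
            "findings": findings,
        }
    return report


SAMPLE_MAPPING = {  # constructed input
    "EVERYONE": ["CosNamingRead", "CosNamingWrite"],
    "ALL_AUTHENTICATED": ["CosNamingDelete"],
    "jndi-ops": ["CosNamingCreate", "CosNamingAdmin"],
}

if __name__ == "__main__":
    for group, entry in audit(SAMPLE_MAPPING).items():
        print(group, entry["highest"], entry["operations"], entry["findings"])
```
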
Specifies groups.
The ALL_AUTHENTICATED and the EVERYONE groups can have the following role privileges: Administrator, Configurator, Operator, and Monitor.
| Data type: | String |
| Range: | ALL_AUTHENTICATED, EVERYONE |
Specifies user roles.
The following administrative roles provide different degrees of authority needed to perform certain application server administrative functions:
- Administrator: The administrator role has operator permissions, configurator permissions, and the permission that is required to access sensitive data, including server password, Lightweight Third Party Authentication (LTPA) password and keys, and so on.
- Operator: The operator role has monitor permissions and can change the run-time state. For example, the operator can start or stop services.
- Configurator: The configurator role has monitor permissions and can change the application server configuration.
- Deployer: The deployer role can perform both configuration actions and runtime operations on applications.
- Monitor: The monitor role has the least permissions. This role primarily confines the user to viewing the application server configuration and current state.
- iscadmins: The iscadmins role has administrator privileges for managing users and groups from within the administrative console only.
  Note: To manage users and groups, click Users and Groups in the console navigation tree. Click either Manage Users or Manage Groups.
- Auditor: The auditor can view and modify the configuration settings for the security auditing subsystem. The auditor role includes the monitor role.
| Data type: | String |
| Range: | Administrator, Operator, Configurator, Monitor, Deployer and iscadmins |
Note: Other arbitrary administrative roles might also be visible in the administrative console collection table. Other contributors to the console might create these additional roles, which can be used for applications that are deployed to the console.